New Research Settles A Very Old Debate in Cybersecurity

Today, we’ve released the seventh edition of our joint research series, “Prioritization to Prediction,” and it contains a potentially surprising new finding: A common practice in cybersecurity does more harm than good. 

The analysis, conducted by the researchers at Cyentia Institute, found that when security researchers disclose exploit code to the public before a software developer can offer a patch, it offers clear and definitive advantages to attackers. 

While it may seem obvious to say that giving people tools to exploit a vulnerability makes it more likely people will use them to try to exploit a vulnerability, it flies in the face of some conventional wisdom in the cybersecurity research ecosystem. 

For years  — decades even —  software developers have formed a working relationship with the security researchers that identify vulnerabilities and craft new ways to exploit them. In many ways, the relationship was mutually beneficial. After all, the vulnerabilities exist whether the researchers find them or not. By notifying companies about their discoveries, security researchers help developers improve overall security.

The research community often argued that disclosure of exploit code motivated companies to patch vulnerabilities faster all while making it easier to detect the existence of those vulnerabilities.

But, in about one-third of the cases, exploit code made its way to the public before the vendor offered a patch. That had very big consequences indeed. It gave attackers a nearly 100-day head start in which they could deploy an exploit faster and more frequently than defenders could patch the IT assets on which the vulnerability was found. 

On top of that, the disclosure of exploit code- usually in repositories like GitHub or in exploit kits or tools – drove a massive volume of exploitation. Just 3.7 percent of the 150,000 vulnerabilities in the Common Vulnerabilities and Exposures database had evidence of exploitations in the wild. For some of those vulnerabilities, we can’t confirm the existence of publicly available exploit code, and it’s possible that there is none, since some attacks don’t require it. But about 85 percent of exploitation volume comes from vulnerabilities with published exploit code. 

This analysis builds on research in Prioritization to Prediction 6: The Attacker-Defender Divide. That report provided pretty strong evidence that the system of coordinated disclosure could be strengthened with longer timelines. It could not, however, rule out the arguments typically made by security researchers. The analysis showed that release of exploit code does not lead to earlier remediation, Likewise, analysis rejected the hypothesis that disclosure of exploit code facilitated earlier detection. The analysis found that for a limited number of vulnerabilities, the release of exploit code does facilitate early detection, but the effect is far from widespread. 

The findings present some thorny challenges to the community. Clearly, developers should be given more time to create and push patches. This is already happening in some places (perhaps because of P2P Vol 6). Google’s Project Zero, for example, has recently changed its policies to add more time between when it discovers a vulnerability, and when it announces it, and it now waits longer after a patch has been released to disclose technical details of a vulnerability. 

But what happens when developers don’t bother to write a patch, or don’t respond to security researchers that make them aware of vulnerabilities? Surely we need to bake more time into the system, but removing the threat of disclosure altogether could have unintended side effects. 

The analysis performed by Cyentia Institute is rigorous and methodical. But the nature of discovery means researchers should be open to debate. And so, we encourage you to download our analysis and we look forward to having more discussions with you.

To read the latest research on the disclosure of exploit code download Volume 7 of the P2P series: Establishing Defender Advantage